# api-relay-audit — Audit AI API Relays for Prompt Attacks > Local 13-step audit for AI API relays/proxies: injection/leakage, context truncation, tool rewriting; verified 419★, pushed 2026-05-11. ## Install Paste the prompt below into your AI tool: ## Quick Use ```bash curl -sO https://raw.githubusercontent.com/toby-bridges/api-relay-audit/master/audit.py python audit.py --key --url --output report.md # Web3 / wallet profile: python audit.py --key --url --profile web3 --output report.md ``` ## Intro Local 13-step audit for AI API relays/proxies: injection/leakage, context truncation, tool rewriting; verified 419★, pushed 2026-05-11. **Best for:** Teams evaluating AI API gateways/relays before routing production traffic **Works with:** Any relay exposing an OpenAI-compatible base URL + an API key; Python runtime to run `audit.py` **Setup time:** 10-20 minutes ### Key facts (verified) - GitHub: 419 stars · 41 forks · pushed 2026-05-11. - License: MIT · owner avatar + repo URL verified via GitHub API. - README-backed entrypoint: `python audit.py --key --url --output report.md`. ## Main - Treat it as a pre-flight checklist for any API relay/proxy: run once, archive the Markdown report, then re-run after provider updates. - Use the built-in profiles (`general`, `web3`, `full`) to match your threat model and cost/time budget. - Focus on relay integrity signals it tests for (prompt leakage, instruction override, context truncation, tool-call rewriting, SSE anomalies). - Share the report with security + platform teams and require a “no HIGH findings” gate before production rollout. ### Source-backed notes - README states it runs a local 13-step audit and outputs a structured Markdown report. - README lists three runtime profiles: `general`, `web3`, and `full`. - Quick Start in README uses a standalone `audit.py` downloaded via `curl` and executed with Python. ### FAQ - **Does it require installing a package?**: No — README provides a standalone `audit.py` you can download and run locally. - **What do I give it?**: A provider API key and the relay/proxy base URL; the script runs a predefined audit sequence. - **How often should I run it?**: Run before onboarding a relay and re-run after provider updates, config changes, or incidents. ## Source & Thanks > Source: https://github.com/toby-bridges/api-relay-audit > License: MIT > GitHub stars: 419 · forks: 41 --- ## Quick Use ```bash curl -sO https://raw.githubusercontent.com/toby-bridges/api-relay-audit/master/audit.py python audit.py --key --url --output report.md # Web3 / wallet profile: python audit.py --key --url --profile web3 --output report.md ``` ## Intro api-relay-audit 提供本地 13 步审计流程,用于评估第三方 AI API 中转/代理是否存在提示词注入、泄露、截断与工具调用篡改;已验证 419★,更新于 2026-05-11。 **Best for:** 在把流量切到第三方 AI API 网关/中转前想做安全评估的团队 **Works with:** 任意提供 base URL + key 的第三方中转/代理(含 OpenAI 兼容接口);用 Python 运行 `audit.py` **Setup time:** 10-20 minutes ### Key facts (verified) - GitHub:419 stars · 41 forks;最近更新 2026-05-11。 - 许可证:MIT;作者头像与仓库链接均已通过 GitHub API 复核。 - README 中可对照的入口命令:`python audit.py --key --url --output report.md`。 ## Main - 把它当成“接入第三方中转前的安全体检”:跑一次生成 Markdown 报告,后续按版本/配置变更复跑对比。 - 按 README 的三种 profile(`general` / `web3` / `full`)选择覆盖面与成本/时间预算。 - 重点看它关注的 relay 完整性信号:提示词泄露、指令覆盖、上下文截断、工具调用重写、SSE 流异常等。 - 把报告交给安全与平台团队,设定上线门槛(例如不允许出现 HIGH 级结论)。 ### Source-backed notes - README 说明它提供本地 13 步审计并输出结构化 Markdown 报告。 - README 列出三种运行 profile:`general`、`web3`、`full`。 - README 的 Quick Start 通过 `curl` 下载独立 `audit.py` 并用 Python 运行。 ### FAQ - **需要安装 Python 包吗?**:不需要;README 提供可直接下载运行的独立 `audit.py`。 - **我需要提供哪些信息?**:提供 API key 与中转/代理的 base URL;脚本会按既定步骤完成审计并生成报告。 - **建议多久跑一次?**:接入前必跑;供应商更新、配置变更或出现安全事件后建议复跑对比。 ## Source & Thanks > Source: https://github.com/toby-bridges/api-relay-audit > License: MIT > GitHub stars: 419 · forks: 41 --- Source: https://tokrepo.com/en/workflows/api-relay-audit-audit-ai-api-relays-for-prompt-attacks Author: Script Depot